SYMBOLCOMMON_NAMEaka. SYNONYMS
win.smokedham (Back to overview)

SMOKEDHAM

According to Mandiant, SMOKEDHAM is dropped through a powershell script that contains the (C#) source code for this backdoor, which is stored in an encrypted variable. The dropper dynamically defines a cmdlet and .NET class for the backdoor, meaning the compiled code is only found in memory.

References
2022-06-29MandiantJared Wilson
Burrowing your way into VPNs, Proxies, and Tunnels
DarkSide SMOKEDHAM
2022-06-29GoogleJared Wilson
Burrowing your way into VPNs, Proxies, and Tunnels
SMOKEDHAM UNC2465
2021-06-16FireEyeJared Wilson, Justin Moore, Mike Hunhoff, Nick Harbour, Robert Dean, Tyler McLellan
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM
2021-06-16MandiantJared Wilson, Jordan Nuce, Justin Moore, Mike Hunhoff, Nick Harbour, Robert Dean, Tyler McLellan
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM
2021-06-16MandiantJared Wilson, Jordan Nuce, Justin Moore, Mike Hunhoff, Nick Harbour, Robert Dean, Tyler McLellan
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
DarkSide Cobalt Strike DarkSide SMOKEDHAM UNC2465

There is no Yara-Signature yet.